On Tue, Sep 27, 2022 at 09:03:21AM -0700, Evan Green wrote:
> On Fri, Sep 23, 2022 at 6:30 AM Jarkko Sakkinen <jarkko@xxxxxxxxxx> wrote:
> >
> > On Wed, Sep 21, 2022 at 04:15:20PM -0400, Mimi Zohar wrote:
> > >
> > > Enabling hibernate or IMA shouldn't be an either-or decision, if at all
> > > possible. The main concern is that attestation servers be able to
> > > detect hibernation and possibly the loss of measurement
> > > history. Luckily, although the PCRs are reset, the TPM
> > > pcrUpdateCounter is not.
> > >
> > > I would appreciate including a "hibernate" marker, similar to the
> > > "boot_aggregate".
> >
> > Yeah, I guess that would not do harm.
>
> I think I understand it. It's pretty much exactly a boot_aggregate
> marker that we want, correct?
>
> Should it have its own name, or is it sufficient to simply infer that
> a boot_aggregate marker that isn't the first item in the list must
> come from hibernate resume?

I think it should have its own name, because a subsequent boot_aggregate
is inserted when we kexec into a new kernel.

J.

--
"Why? - because it's f***ing there!" -- Edmund Hilary
This .sig brought to you by the letter I and the number 30
Product of the Republic of HuggieTag
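Added illustration (not code from the thread or from the kernel's IMA implementation) of the attestation-server side of the argument above: a verifier replays an IMA-style measurement list into a simulated PCR 10 and has to decide, at each marker, whether the TPM's PCR state was lost. The PCR extend rule (new = SHA-1(old || digest), starting from all zeros) is real TPM behaviour; everything else is constructed: the event names, the template-hash stand-in (real ima-ng hashes the template fields, not just the name), the marker name `hibernate_aggregate` (hypothetical; the thread fixes no name), and the assumption that PCRs are zeroed by a hibernate/resume power cycle but survive a kexec. With a distinct hibernate marker the verifier knows where to restart the replay and can count hibernations and kexecs separately; a replay that ignores the reset mismatches the quoted value.

```python
import hashlib

ZERO_PCR = bytes(20)                      # SHA-1 PCR bank starts at all zeros
BOOT_AGGREGATE = "boot_aggregate"         # IMA's first measurement on every kernel start
HIBERNATE_MARKER = "hibernate_aggregate"  # hypothetical name; the thread fixes none


def pcr_extend(pcr: bytes, digest: bytes) -> bytes:
    """TPM extend: PCR_new = SHA-1(PCR_old || digest)."""
    return hashlib.sha1(pcr + digest).digest()


def template_hash(name: str) -> bytes:
    """Constructed stand-in for the ima-ng template hash (the real one covers the
    template fields, not only the file name)."""
    return hashlib.sha1(name.encode()).digest()


# Constructed event sequence in the order IMA appends it to its measurement list:
# cold boot, hibernate/resume (PCRs lost), then a kexec into a new kernel (PCRs kept).
SAMPLE_EVENTS = [
    BOOT_AGGREGATE, "/init", "/usr/bin/bash",
    HIBERNATE_MARKER, "/usr/sbin/sshd",
    BOOT_AGGREGATE, "/init",
]


def simulate_tpm(events):
    """Kernel/TPM side: extend PCR 10 per event; the PCR is zeroed by the power
    cycle behind a hibernation resume (assumption), but not by a kexec."""
    pcr = ZERO_PCR
    for name in events:
        if name == HIBERNATE_MARKER:
            pcr = ZERO_PCR
        pcr = pcr_extend(pcr, template_hash(name))
    return pcr


def replay(events, reset_on_hibernate=True):
    """Attestation-server side: recompute PCR 10 from the log and classify markers.
    A boot_aggregate that is not the first entry is a kexec, not a hibernation,
    so only the dedicated marker restarts the replay."""
    pcr = ZERO_PCR
    hibernations = kexecs = 0
    for index, name in enumerate(events):
        if name == HIBERNATE_MARKER:
            hibernations += 1
            if reset_on_hibernate:
                pcr = ZERO_PCR
        elif name == BOOT_AGGREGATE and index > 0:
            kexecs += 1
        pcr = pcr_extend(pcr, template_hash(name))
    return pcr, hibernations, kexecs


def verify(events, quoted_pcr, reset_on_hibernate=True):
    """Compare the replayed PCR with the value quoted by the TPM and report what
    the log says about resets; a mismatch means the history cannot be trusted."""
    pcr, hibernations, kexecs = replay(events, reset_on_hibernate)
    return {"match": pcr == quoted_pcr,
            "hibernations": hibernations,
            "kexecs": kexecs}


if __name__ == "__main__":
    quoted = simulate_tpm(SAMPLE_EVENTS)
    print("reset-aware replay:", verify(SAMPLE_EVENTS, quoted))
    print("naive replay:      ", verify(SAMPLE_EVENTS, quoted, reset_on_hibernate=False))
```

If the hibernate marker were just another `boot_aggregate`, `replay` could not tell the second entry (must reset) from the third (must not reset), and the server would be left guessing which replay to attempt; that is the ambiguity the reply above avoids by giving the marker its own name.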